GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-21 16:24:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2AR10001 465,76GB Running: 9ijspqys.exe; Driver: C:\Users\Kryzac\AppData\Local\Temp\agrdapob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdab40b0 7 bytes JMP 000007fefdaa00d8 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdab9ec0 7 bytes JMP 000007fefdaa0148 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdabaea0 5 bytes JMP 000007fefdaa0180 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdabb040 5 bytes JMP 000007fefdaa0110 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff9789e0 8 bytes JMP 000007fefdaa01f0 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff97be40 8 bytes JMP 000007fefdaa01b8 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef9314da4 7 bytes JMP 000007fef93000d8 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef9339af4 7 bytes JMP 000007fef9300110 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077171f4e 7 bytes JMP 0000000073e93c50 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077175be5 7 bytes JMP 0000000073e94290 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077181441 7 bytes JMP 0000000073e93ea0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007718ea75 7 bytes JMP 0000000073e93c40 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000772188ec 7 bytes JMP 0000000073e936c0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077218971 5 bytes JMP 0000000073e93770 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077218cc7 5 bytes JMP 0000000073e936d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000756b1094 5 bytes JMP 0000000073e93680 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000756b1142 5 bytes JMP 0000000073e93640 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000756b1bb2 5 bytes JMP 0000000073e93780 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000756b1d92 5 bytes JMP 0000000073e93480 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076b48b9a 5 bytes JMP 0000000071693834 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076b54c48 5 bytes JMP 0000000073e93400 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076b56bdc 5 bytes JMP 0000000073e93470 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076b62a3e 5 bytes JMP 00000000717cdcd8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076b62a62 5 bytes JMP 00000000715c7f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076b8cc1a 5 bytes JMP 00000000717cdc75 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076b8cf72 5 bytes JMP 00000000717cdd3b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076b9092e 5 bytes JMP 0000000073e92960 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076b9fd61 5 bytes JMP 00000000717cdc0a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076b9fe2d 5 bytes JMP 00000000717cdb9f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b9fe66 5 bytes JMP 00000000717cdb3d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b9fe8a 5 bytes JMP 00000000717cdadb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076ba7bec 5 bytes JMP 0000000073e933e0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076c5e9a2 5 bytes JMP 0000000073e92c60 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076c5ebdc 5 bytes JMP 0000000073e92c70 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076946143 5 bytes JMP 00000000717ce036 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076553e59 5 bytes JMP 00000000716ad8fb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076553eae 5 bytes JMP 00000000716ae408 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076554731 5 bytes JMP 00000000717cec33 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076555dee 5 bytes JMP 00000000717cec7e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000765b93fc 5 bytes JMP 00000000717ce83a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000073ec1003 2 bytes [EC, 73] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000073ec1016 2 bytes [EC, 73] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077ab1465 2 bytes [AB, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077ab14bb 2 bytes [AB, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007374388e 5 bytes JMP 00000000717cf282 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000737e7922 5 bytes JMP 00000000717cf323 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4024] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076482694 5 bytes JMP 00000000717cea33 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077171f4e 7 bytes JMP 0000000073e93c50 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077175be5 7 bytes JMP 0000000073e94290 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077181441 7 bytes JMP 0000000073e93ea0 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007718ea75 7 bytes JMP 0000000073e93c40 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000772188ec 7 bytes JMP 0000000073e936c0 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077218971 5 bytes JMP 0000000073e93770 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077218cc7 5 bytes JMP 0000000073e936d0 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000756b1094 5 bytes JMP 0000000073e93680 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000756b1142 5 bytes JMP 0000000073e93640 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000756b1bb2 5 bytes JMP 0000000073e93780 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000756b1d92 5 bytes JMP 0000000073e93480 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076c5e9a2 5 bytes JMP 0000000073e92c60 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076c5ebdc 5 bytes JMP 0000000073e92c70 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076b54c48 5 bytes JMP 0000000073e93400 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076b56bdc 5 bytes JMP 0000000073e93470 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076b9092e 5 bytes JMP 0000000073e92960 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076ba7bec 5 bytes JMP 0000000073e933e0 .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000073ec1003 2 bytes [EC, 73] .text C:\Users\Kryzac\Downloads\9ijspqys.exe[2180] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000073ec1016 2 bytes [EC, 73] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d4e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d4c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010d5654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010d5a50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010d58ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80039872c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80039872c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80039872c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80039872c0 Device \FileSystem\Ntfs \Ntfs fffffa80042ec2c0 Device \FileSystem\fastfat \Fat fffffa8004bf02c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004ef02c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004af02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6286DD1C-2B36-4B89-9F77-66A830759E47} fffffa8004bd22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{F03D2C49-B413-4062-A2C1-04647DB2B429} fffffa8004bd22c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8004ef02c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004ef02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{C58578AC-1240-4E55-BD73-F384CEB295D1} fffffa8004bd22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{BAB3C0A2-3C40-46FA-837A-DE66432F61D5} fffffa8004bd22c0 Device \Driver\USBSTOR \Device\000000a6 fffffa80068b82c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004bd22c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80039872c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8004ef02c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80039872c0 Device \Driver\USBSTOR \Device\000000a7 fffffa80068b82c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80039872c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80039872c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ad5060] fffffa8004ad5060 Trace 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004448680] fffffa8004448680 Trace \Driver\atapi[0xfffffa80043b2990] -> IRP_MJ_CREATE -> 0xfffffa80039872c0 fffffa80039872c0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ ---- EOF - GMER 2.2 ----